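Java SSLHandshakeException "no cipher suites in common"

I am using an SSLServerSocket to accept client connections on my openSUSE server, but none of them can connect. I always get an SSLHandshakeException saying no cipher suites in common. I have activated all possible suites, enabled multiple protocols, and tried the latest Oracle JRE and OpenJDK. I also followed other posts on forums and elsewhere, "unlocked" all cipher suites for Oracle's JRE, and changed the OpenJDK JRE settings as follows:

Disabled: #security.provider.10=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
Enabled: security.provider.9=sun.security.ec.SunEC

This is how I initialize my SSLServerSocket: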

    System.setProperty("javax.net.ssl.keyStore", "./keystore");
    System.setProperty("javax.net.ssl.keyStorePassword", "nopassword");
    java.lang.System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");

    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
            public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) { }
            public java.security.cert.X509Certificate[] getAcceptedIssuers() { return null; }
        }
    };

    // Install the all-trusting trust manager
    SSLContext sc = SSLContext.getInstance("TLSv1.2");
    sc.init(null, trustAllCerts, new SecureRandom());
    SSLServerSocket ssl = (SSLServerSocket) sc.getServerSocketFactory().createServerSocket(DownloadFilelist.PORT);
    // Got rid of:
    // ssl.setEnabledCipherSuites(sc.getServerSocketFactory().getSupportedCipherSuites());
    ssl.setEnabledProtocols(new String[] {"TLSv1", "TLSv1.1", "TLSv1.2", "SSLv3"});
    // System.out.println(Arrays.toString(ssl.getEnabledCipherSuites()));
    s = ssl;
    // s = new ServerSocket(DownloadFilelist.PORT);
    s.setSoTimeout(TIMEOUT);

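The problem is that I can't find out which cipher suites the clients want, and I can't influence that either. I debugged with -Djavax.net.debug=ssl,handshake, and here is the result. Can any of you figure out what the problem is?

Edit: the keystore was generated with the following command: keytool -genkey -keyalg RSA -keystore ./keystore

Below is the code from that page, in case it helps (it looks like the formatting does not get messed up):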
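The output contains one working connection to another server, followed by the connection to my server. I can't remove the other connection, because that connection is how I get the information on how to connect. I could enable debugging after the first connection if that is possible, but I don't know how…

I removed all irrelevant output (the output that I create myself).

Update:

I can't even connect to myself. When I create an SSLServerSocket and an SSLSocket that connects to it in the same application, I get the same error. However, when I compare the lists of enabled cipher suites, there are suites that both sockets support. I tested this with the latest JDK on Windows 7 64-bit.

Update:

I just started the server part of my program from scratch using a tutorial, and magically it works… I don't know why, but it seems I should stick to the standard implementations as much as possible. I gave the bounty to Bruno because he put the most effort into his post.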
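
You are initialising your SSLContext with a null KeyManager array.

The key manager is what handles the server certificate (on the server side), and this is what you probably intended to set when using javax.net.ssl.keyStore.

However, as described in the JSSE Reference Guide, using null for the first parameter doesn't do what you seem to think it does:

"If the KeyManager[] parameter is null, then an empty KeyManager will be defined for this context. If the TrustManager[] parameter is null, the installed security providers will be searched for the highest-priority implementation of the TrustManagerFactory, from which an appropriate TrustManager will be obtained. Likewise, the SecureRandom parameter may be null, in which case a default implementation will be used."

An empty KeyManager doesn't contain any RSA or DSA certificates. Therefore, all the default cipher suites that rely on such a certificate are disabled. This is why you get all these "Ignoring unavailable cipher suite" messages, which ultimately result in the "no cipher suites in common" message.

If you want your keystore to be used as a keystore, you need to load it and initialise a KeyManagerFactory with it: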

    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream ksIs = new FileInputStream("...");
    try {
        ks.load(ksIs, "password".toCharArray());
    } finally {
        if (ksIs != null) {
            ksIs.close();
        }
    }

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, "keypassword".toCharArray());

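Use kmf.getKeyManagers() as the first parameter to SSLContext.init().

For the other two parameters, since you are visibly not requesting client-certificate authentication, you should leave the trust manager at its default value (null) instead of copying/pasting a trust manager that is a potential cause of vulnerability, and you can also use the default null SecureRandom.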
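
Added example, not code from the question or the answers: a loopback test that runs one handshake against a server SSLContext initialised with a null KeyManager[] and one against a context initialised with kmf.getKeyManagers(), so the failure described in the answer above and its fix can be compared directly. The class name KeyManagerDemo, the alias demo, the password changeit and the throwaway keystore created with the JDK's own keytool are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.*;

public class KeyManagerDemo {
    // Constructed throwaway password for the test keystore.
    static final String PASS = "changeit";

    // Assumption: the running JDK ships keytool under java.home/bin.
    static KeyStore newTestKeyStore() throws Exception {
        Path file = Files.createTempDirectory("kmdemo").resolve("server.p12");
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        Process p = new ProcessBuilder(keytool, "-genkeypair", "-alias", "demo",
                "-keyalg", "RSA", "-keysize", "2048", "-dname", "CN=localhost",
                "-validity", "1", "-storetype", "PKCS12", "-keystore", file.toString(),
                "-storepass", PASS, "-keypass", PASS).inheritIO().start();
        if (p.waitFor() != 0) throw new IllegalStateException("keytool failed");
        // The type given here must match the format of the file that was written.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, PASS.toCharArray());
        }
        return ks;
    }

    static SSLContext context(KeyManager[] km, TrustManager[] tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // same protocol name as the question
        ctx.init(km, tm, null); // null SecureRandom selects the default implementation
        return ctx;
    }

    // One loopback handshake; returns the negotiated suite or the server-side error.
    static String handshake(SSLContext serverCtx, SSLContext clientCtx) throws Exception {
        try (SSLServerSocket server =
                (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(0)) {
            int port = server.getLocalPort();
            Thread client = new Thread(() -> {
                try (SSLSocket s = (SSLSocket) clientCtx.getSocketFactory()
                        .createSocket("localhost", port)) {
                    s.startHandshake();
                } catch (IOException ignored) {
                    // the server side reports the reason
                }
            });
            client.start();
            try (SSLSocket s = (SSLSocket) server.accept()) {
                s.startHandshake();
                return "handshake ok, " + s.getSession().getCipherSuite();
            } catch (SSLException e) {
                return "handshake failed: " + e.getMessage();
            } finally {
                client.join();
            }
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = newTestKeyStore();
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASS.toCharArray());
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // the client trusts only the constructed test certificate
        SSLContext client = context(null, tmf.getTrustManagers());

        System.out.println("null KeyManager[]:    " + handshake(context(null, null), client));
        System.out.println("kmf.getKeyManagers(): "
                + handshake(context(kmf.getKeyManagers(), null), client));
    }
}
```

The client keeps certificate validation on and trusts only the generated test certificate, so the comparison does not depend on a trust-all TrustManager.
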
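This problem can be caused by excessive manipulation of the enabled cipher suites at the client or the server, but I suspect the most common cause is the server not having a private key and certificate at all.

NB:

    ssl.setEnabledCipherSuites(sc.getServerSocketFactory().getSupportedCipherSuites());

Get rid of this line. Your server is insecure enough already with that TrustManager. Then run it with -Djavax.net.debug=SSL,handshake, try one connection, and post the resulting output here.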
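
Having had this exception myself, I delved into the JRE source code. It became apparent that the message is rather misleading. It can mean what it says, but more generally it means that the server doesn't have the data it needs to respond to the client in the manner requested. This can happen, for example, if certificates are missing from the keystore, or if they haven't been generated with an appropriate algorithm. In fact, given the cipher suites installed by default, one would have to go to some lengths to actually get this exception because of a genuine lack of common cipher suites. In my specific case, I had generated the certificates with the default algorithm, DSA, when what I needed to make the server work with Firefox was RSA.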

For debugging, I started java with this added, as mentioned above:

    -Djavax.net.debug=ssl

Then you can see that the browser tried to use TLSv1 while Jetty 9.1.3 was talking TLSv1.2, so they weren't communicating. That was Firefox. Chrome wanted SSLv3, so I added that as well.

    sslContextFactory.setIncludeProtocols("TLSv1", "SSLv3");  // <-- Fix
    sslContextFactory.setRenegotiationAllowed(true);          // <-- added, don't know if it helps anything

I didn't do most of the other things the original poster did:

    // Create a trust manager that does not validate certificate chains
    TrustManager[] trustAllCerts = new TrustManager[] {

or this answer:

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

or

    .setEnabledCipherSuites

I created a self-signed certificate like this (but I added .jks to the file name) and read it in my Jetty Java code. http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

    keytool -keystore keystore.jks -alias jetty -genkey -keyalg RSA

First and last name: *.mywebdomain.com

It looks like you are trying to connect using TLSv1.2, which isn't widely implemented on servers. Does your destination support TLS 1.2?

Server

    import java.net.*;
    import java.io.*;
    import java.util.*;
    import javax.net.ssl.*;
    import javax.net.*;

    class Test {
        public static void main(String[] args) {
            try {
                SSLContext context = SSLContext.getInstance("TLSv1.2");
                context.init(null, null, null);
                SSLServerSocketFactory serverSocketFactory = context.getServerSocketFactory();
                SSLServerSocket server = (SSLServerSocket) serverSocketFactory.createServerSocket(1024);
                server.setEnabledCipherSuites(server.getSupportedCipherSuites());
                SSLSocket socket = (SSLSocket) server.accept();
                DataInputStream in = new DataInputStream(socket.getInputStream());
                DataOutputStream out = new DataOutputStream(socket.getOutputStream());
                System.out.println(in.readInt());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

Client

    import java.net.*;
    import java.io.*;
    import java.util.*;
    import javax.net.ssl.*;
    import javax.net.*;

    class Test2 {
        public static void main(String[] args) {
            try {
                SSLContext context = SSLContext.getInstance("TLSv1.2");
                context.init(null, null, null);
                SSLSocketFactory socketFactory = context.getSocketFactory();
                SSLSocket socket = (SSLSocket) socketFactory.createSocket("localhost", 1024);
                socket.setEnabledCipherSuites(socket.getSupportedCipherSuites());
                DataInputStream in = new DataInputStream(socket.getInputStream());
                DataOutputStream out = new DataOutputStream(socket.getOutputStream());
                out.writeInt(1337);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

    server.setEnabledCipherSuites(server.getSupportedCipherSuites());
    socket.setEnabledCipherSuites(socket.getSupportedCipherSuites());

In my case, I got this no cipher suites in common error because I had loaded a p12-format file into the server's keystore instead of a jks file.